IETF Logo Mail Archive

[Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments

Justin Richer <jricher@mit.edu> Fri, 09 August 2024 17:58 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B2A6C14F6E8 for <wimse@ietfa.amsl.com>; Fri, 9 Aug 2024 10:58:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m_cEDsSg25zi for <wimse@ietfa.amsl.com>; Fri, 9 Aug 2024 10:58:54 -0700 (PDT)
Received: from SJ2PR03CU001.outbound.protection.outlook.com (mail-westusazon11022142.outbound.protection.outlook.com [52.101.43.142]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D280C14F6E9 for <wimse@ietf.org>; Fri, 9 Aug 2024 10:58:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=R2UrPal2k4xoqjEbg403dwax9uT6yUtomuTJ0yqK5H/qmC5lJBuahAuqf6gmBEVGVxaK92hFAjkhV/LQldzmpeMUO7UMJH63q7btecYt3AhLAW3ZzJcEV6nX5o1ox2XvlXZ6v5fZobxIrLdto+9omj6GeRKaLvt6mwkvO05QznnDknm2q4lP15ie9XpVmty345JPOD357qDaWe+AJvnEEJEWFJ5Fnb/ohtKDY1EuYXPMKOn9wy/t+Q3e9t+jMPu7OltE9/zIdKE+XxOyWldBYU3V71MW37mX/wVeLsSRDp5rJIARaFdPT35q6iwQuTtFerbxOSTsCP8xBGr3UmsGMg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ktDJWB2yMKEbkbRqgIssxMl/GfjZOIztFxParYNSvxg=; b=YK+NO1igSRWWvJ/i6yrEb5aGWP54HoLam+qN3+wmReGw/Z438AtjbjXJzYwU6WQsOoV5TVrisdPzuf/Uhq4jzGCTgiF09cwO3eHhDuLhbpWSOS7MNnewI+VVsgWVoPx0n+7fKtJuJNoZvA9UUJxFSUxhkevg3L/O/1q5LH1iOtBVDsFpQDd3dTsSmcQL447g5esN/+bJUsrhCkpeEchZYhyRFhvBdfW8jmfYOniSztPMEbvYtUue1SBmXL2t96TRjXM2ObQP2nbztRo+hxLzOi1xZG3M0smYje+8rZbFCX0ethutZi8J5q4Md/pMTxxtWwy2m+3Mu98Xv1z2XRgxEQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ktDJWB2yMKEbkbRqgIssxMl/GfjZOIztFxParYNSvxg=; b=i4/ul+m9GD81twT/gNneFOVDIaCLugqwAPInvZm71IBuBl07Iqktusk+xx1pUb52catq5Jyh9kdYfvbXggO24vuupJBhwkd3Y0kuTMO+3RDUAttb5BXwPPrpGIk9BmOeN+bXFd+eDoLOQJnyjHchkrDkxYHEKOFUvObBAxA53Ic=
Received: from LV8PR01MB8677.prod.exchangelabs.com (2603:10b6:408:1e8::20) by DM8PR01MB6885.prod.exchangelabs.com (2603:10b6:8:12::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.15; Fri, 9 Aug 2024 17:58:51 +0000
Received: from LV8PR01MB8677.prod.exchangelabs.com ([fe80::e7d6:999:270f:a820]) by LV8PR01MB8677.prod.exchangelabs.com ([fe80::e7d6:999:270f:a820%6]) with mapi id 15.20.7828.023; Fri, 9 Aug 2024 17:58:51 +0000
From: Justin Richer <jricher@mit.edu>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: [Wimse] Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
Thread-Index: AQHa6oXKurLhfd5mO0aky26IcKTAPg==
Date: Fri, 09 Aug 2024 17:58:51 +0000
Message-ID: <121FFF40-C424-458A-ADE6-7A563B43BB4D@mit.edu>
References: <19EE151F-D6EB-0140-A04B-24584C526E1D@hxcore.ol>
In-Reply-To: <19EE151F-D6EB-0140-A04B-24584C526E1D@hxcore.ol>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LV8PR01MB8677:EE_|DM8PR01MB6885:EE_
x-ms-office365-filtering-correlation-id: ac866d6a-2af3-4a47-97c6-08dcb89ced35
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|38070700018;
x-microsoft-antispam-message-info: aEwKWHD9i12H7SV6mvP0x5Il0uVo3dnqxrP+zf+xhZm1FrBGJsM5B1oxk5SD6JKhcX4f8LdY+MsLQqshFiGRLoAI1Up899N303rJreu9FNaVBjvbIiqLi7QMVzX1LpbKkPMw2t6VVBP2/DTcwe9cq0RRlA7uR0uBHzmk14QrVFfJPeGCpm/wo7xvnbK1gHedFgnB1g/PVlonWwGEKgwF62r6gwAbt4muhdyySCwysgot44j1auwkPuH4Gsqox7qUujHT3hoPY52I5mHuiHk/TbEf9ielgbSBK8ZXSCTge3rTblvGeAnasMiQ/hqXz3WYSPOTUe+9HO0cxdAguepvr8SspnzC6O5clt7n3AVPgqdnP0u7pY/DTH3Pmmmk7pxHGw+y3K/YxcU6KAOczY+jhpCEIfin/j5ujNH+QFFGT5kzdHbpprpHqb2IxHKp8t4ZOhzJf1vqYRnrb8+N1u6I8WJay7FotdJDmn1S7EfgIT4X0SX1lm0jc++EFt+lmIuSSip81GRYS3gMgdlcSeCFZAd1LPOUldSLP/OqkPTdZJ/A9QjzibljayoG4u+i9iFJG4VP56mwLvfj99WpHFfp+LxaOGmSVru1eeu3e9hIFvxO/6f0FomzruseCtv81rsiMpNpaDW14vYGSSg2jHaOGvga64DfvJB7JcEV6TleW1wxoq6dK1QyktZy8WUOeF2pM5yUre5Aj9iBdQOqqkGTvYpQFnLOMiVyoRh4LrTexQ6sng/8VEZ9jtyC+4R+SiWrEQ1ID6+YFcQpf76Krdn3HJTs0YOTIKnypM7GyEOu4XJUDLkKBPLJUlagUe7cofI/tJ87oD3cd1tTkWHW7OVM3+T8VUI+wgkKiSrIoroiVQyEWPOoi75TLhFdvtMJ55Uo72Ez3Fd/8Bz84RMsZZTSHYnOepFTcdpbflRzdYZIqA2urtAsk0CdLF+2c57M2IPCMFkWFXHMknbJYdo8b9b0GvdwokiNiNpoY/q5ONmciPUdL+r3AxE+NaIajK4YMVqwd7EHcq05S+MVjZxcqM7zcym/CPsaU9Pfr0ML6VvgjkDc6CGoCGBN5u1a7iUP9xep4ocaRh3qN0ZSoH2ZiqmvRFEphJE+BnqYhA28E8uyCnPPUaCHsZEuKN2Jmr6ZT0kMZYh5JsiRXfmGUz80kMuCfdvDSGQzf5tRjj7wzFqTzK1ubx12LG0dQUZIkoEPZKcHi6E6ht2rjqYcfR7ggnAscGVQzX7x9yokjSCyepELI3LgOVtz/TjkVNXKLg3Oiwq9YhaKIskxdLIrqun1VSUHrFL8sK0147um3tYiZGvsFyLeCfUYNFtpe6ExitMhIoxameV3RXRz32ngt5J8k1wr1BMvRkLIAQHm3/g/cuNwBbQ=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:LV8PR01MB8677.prod.exchangelabs.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: KSokexb1NJ26Fwm0j9SwRJunB7lGQQFemBceo1qx0fvsAfPXqcbRjnsPzJvIRNtJYsPANsSlP+6VS7LL1nvcOanpim9dJIT/DqTaY3R4SkoKDP6bXi3WLEnVZdhtTjrDPassAZ1VZX858RHiwo/dLPElImrZtk7KCE3iKtJlXEJp2QSaFNvkJaY+aGQUlfmyl5sZTqriG3A7/NclD99YbVIlQK3uKPyLIlfl7l7qxAhvW8+sUhLU67erygWhQxzklJG1Sp0JsNKrLVYzoSRu/4TsVLCqDn39tda2VU4bDqfuLqvA35F8TL63qGYgZV7d6AEuSy9jbXK9OILH7WrLX4HXVCZT/uLcdNmscEcGpTrTmKA5QuxemcDQ6Eqi3M6styB7opRb7+G/xwZDIjrtrO3uIXZe5BQBn2co92OYDXsQiGSeQtOg/RbHmgrW65JHPL6pHqPVTtq8Tcyoh4XDBDeu+hjF++2YRoLqLj+MPnSq7vZNc8sQbCvQ1ZIrrN6dH9WITbnO4WR6jiitmEicUOb0kxqshA2oiY5fUorKCxcyGUHGjVtuoXwzlvOSBK//m5pv/45sJzbqQR9wXJhgWv12mKgar4npWw5iZz4we2IOu+7Xm6j9eybPNtOjHSog6Fx7LAZK4jcMFTomW9c89L0m6AXe0Z8th9iUNexu/TdKS08qmA2U+HqyaEaH9gkcl+xuFQsPAuZ2+AV/J7ciU6AKYVskLf2TkCqhoDooDTfsaHfqGGjtaSORyJbFxtgTNCtxJwgNVpSM0PrINV2UsnxrFVdFxmpSohGzuo3IsN+m73mtWlDaLCOOK4M5dUWmfWYcvMg3pd4EuhtYF0uph7pMNTnDMi9iRxGF5M5+GJ4wOoAWXuyUVWC302TS41Ed/pOrC8vKX7KnBFBd7em2z1HjZat4nAzYmjqyVChglatzSupAa6yx7e+YGiGHottiFSH59pzUlAQkF8d0CumFc3i7yaDdnCiTkXNMYHiKh1VnzCksuFSfOKqYUWtaM5rXqeU4pjN1SA8wvLzIFkqpxyROlf4XrO/EROVSksI3AsPsAfmEnvLMTS4DtlnCQWvPakdEPDOeTR9uJQzrhD+7nIXYkZzRGxw3I5CuQyB7TJrxYn1UlQPuoP6aoEV0jsH7FMbPEl14XXUFY0h7yFq8JkhWI1+yTRItDnbRcI1JNQw3lNzRTUc+Pu4gxmFiqSslpuuzi/H7Zz4cDOdmb8xF5P1BRpvkC6VEU+XLR6JkNxV3KtWtFe7kBK9sv2/TUvWlGiuS3Te/TARM61zK/Y09jX+DskXshoCh8zkrHGe185wNqix3ljmS09Hr8/WC2Mk4L3L9vB1dPHmeFNnntC/j0KRJ5O64vBlwEFr9og7FO87s3w6KLKl24a4Q+apNcm6jna7szqNhXJfWgmv0u1PsF9+RS2oXJYgEy4quWs6a9zF1wm0IsM0G68siORq6IogCQfHnEro34sGhrrswEZjuTM7JqD2da6CMhirbyz6lvnqFkoRpGO4SVSNrcWyqEx22UoFj6vXcb/Ek7gr15fdPmzgK63ZTawIYsQrG059gD6yPTft/4ka8HfH/lo1EeXMT
Content-Type: multipart/alternative; boundary="_000_121FFF40C424458AADE67A563B43BB4Dmitedu_"
MIME-Version: 1.0
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LV8PR01MB8677.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ac866d6a-2af3-4a47-97c6-08dcb89ced35
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2024 17:58:51.3445 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: b5NWJakjWmBbC7Z6oaxXX8X1n0S6JdyM3l+GhHZ8cPsI+Bzv5JX2iEKUI2Nf3bbD
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM8PR01MB6885
Message-ID-Hash: J5NC3GE4CKHTRAIN7HAKNECV33LU525C
X-Message-ID-Hash: J5NC3GE4CKHTRAIN7HAKNECV33LU525C
X-MailFrom: jricher@mit.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "wimse@ietf.org" <wimse@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/CqHJdBFLC-2KOWoavDSUWttmnMM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>

Hi Yaron,

[Chair hat on] That’s a great question and it raises the importance of dependencies between different parts of WIMSE work, which all of the document authors and contributors need to be aware of when working on these docs. Please note: It’s OK to non-normatively cite documents that are incomplete (i.e., still in the I-D phase), but care needs to be taken not to normatively cite something that is not done or else we have to ship the documents together in some way. Any such dependencies should be decided on explicitly by the WG.


[Chair hat off] That’s a great question and I think there’s a pretty straightforward way out of the dependency trap:

I would still like to see this document focus on my point (2) below and the implications of it, and cover all three cases. But on top of that, I think there’s room to mention that the token you get from any of these processes could be a regular access token, to be used at another RS, or some kind of other artifact like a WIT or a SPIFFE JWT-SVID or some assertion — all of which are NOT access tokens and are instead usually used to GET access tokens or do some other action. This document doesn’t need to (and shouldn’t) go into detail about the content and format of the tokens, but I do think it makes sense for this document to differentiate based on token use.

So that gives us a framework with three inputs paths and three output goals:

Inputs: environment, file system, socket

Outputs: access token, identity document, assertion

Maybe the identity document and assertion are actually the same? I don’t know, but they are clearly made for a different purpose from the access token, which is classically about an authorized grant of access and not the identity of a party. I think that this is where the PoP aspects can also be defined — where do the secrets come from? Are they parallel with the token or through something else? Are they ephemeral or part of the workload’s configuration? All of these are important discussion points that don’t directly require this document to define how to DO PoP on any type of token or use case.


 — Justin

On Aug 7, 2024, at 9:25 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

Hi Justin,

I’m puzzled by your proposal, because you are mixing existing deployments (workload security in K8s, the current focus of the document) with future, “aspirational” problems. The WIMSE token does not exist yet, all we have is a not-yet-adopted draft that defines it.

There’s a lot of value in documenting existing (pre-WIMSE) practices of getting workload credentials, and in recommending the best security for these practices.

In the future there may be value in having an Informational document about various ways of provisioning WIMSE tokens.

But mixing the two is IMHO a bad idea.

Thanks,
                Yaron


From: Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>>
Date: Friday, 2 August 2024 at 0:31
To: wimse@ietf.org<mailto:wimse@ietf.org> <wimse@ietf.org<mailto:wimse@ietf.org>>
Subject: [Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
Chair hat off — this is entirely my position as a member of the community.

My answer to the question is a form of (B), but I think there’s actually more to do than just add some OAuth considerations to the document.

As the document stands today, I do not believe that it addresses the milestone or deliverable as defined by the working group, in either its stated scope or its content. I would like to offer what I hope is a helpful framing of the goals that I believe this document should ascribe to. I believe the document can reach these goals if we choose to, but it would need a good amount of work to get to that point.


1) It should be informational, not BCP. We are far too early in the work of WIMSE to determine what "best practices" are by the IETF definition. [1]


2) It should explicitly enumerate and address the three non-oauth means of "getting a token" that are common in this space. These are hinted at in the document, but to my understanding these practices are:

 - Setting environment variables
 - Mounting a file on a virtual filesystem (usually through some container overlay, etc)
 - Reading from a local socket through an agent

Each of these approaches has different security considerations and tradeoffs, and this document is the perfect place to address each of these practices with clear, sober advice for implementors on what to choose and when to choose it.


3) It should focus on the token from (2) in the cases where it’s a WIMSE token, as defined by other docs in this WG. Specifically it should point out that what you’re mounting/loading/etc is not an "access token" in the traditional sense, as it’s not intended to directly call another service after an act of delegation. Instead, it’s a means of identifying the workload instance and allowing it to perform core functions, which might include getting an access token through some means.


4) It should point to other work for trading the WIMSE token from (3) for an access token where needed, these won’t be in this document. The WG has identified token exchange/translation and as-of-yet-undefined "local token issuance" as means of going from the WIMSE space into OAuth space, and vice versa. This document shouldn’t specify how to do any of that, but should instead point forward to other work as out of scope. This work could also talk about getting transaction tokens or other artifacts.


5) In the case where the token from (2) is actually an access token or used as such, there should be security considerations and discussion around the tradeoff — because somebody’s going to do it that way anyway regardless of how much we warn them. This document is a good place to discuss such tradeoffs — for example, you save a round trip, but now you have a much more dangerous artifact immediately available.


6) It should address but not define proof of possession, to the extent that it talks about loading and managing associated secrets alongside the token. The means of token PoP should be covered by other documents, such as the proposed S2S document.


I think that if we address the six points here, this document could be an incredibly useful piece of work for the wider community. I also don’t think it’s a massive amount of work to get there — certainly much more than what the document currently addresses, but as it’s informational and largely documenting and commenting on existing practices instead of inventing protocols and formats, I believe a lot of the knowledge already exists out there in the community and it needs to be distilled and edited.


— Justin

https://datatracker.ietf.org/doc/html/rfc1818


On Jul 29, 2024, at 6:21 AM, Pieter Kasselman <pieter.kasselman@microsoft.com<mailto:pieter.kasselman@microsoft.com>> wrote:

During the Working Group meeting in Vancouver there was discussion on the scope of the Working Group document titled Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments [1], which was adopted in accordance with the following deliverable in the charter [2]:


  *   [I or BCP] Document and make recommendations based on operational experience to existing token distribution practices for workloads.


This is intended to respond to the following milestone [3]:


  *   Submit informational document describing considerations for filesystem-based JWT delivery in Kubernetes to the IESG


Please reply to the list to indicate which of the following options represent the appropriate scope for this document:


  1.  Document existing practices without specific recommendations on how to obtain, protect and use OAuth Access Tokens.
  2.  Document existing practices along with strong recommendations on how to obtain, protect and use OAuth Access Tokens.
  3.  Need more information (please state what more information you need).
  4.  No opinion (i.e., this isn’t a topic you care strongly about).

Please reply to the list by August 12th, 2024.

Thank you,

Pieter and Justin

[1] https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-bcp/
[2] https://datatracker.ietf.org/doc/charter-ietf-wimse/
[3] https://datatracker.ietf.org/wg/wimse/about/

v2.29.0 | Report a Bug | By Email | System Status